Self Improving Agent 1.0.2

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for agent self-improvement, but it asks agents to persist and promote conversation-derived learnings into future instruction files and optional global hooks without enough scoping or review safeguards.

Install only if you want an agent to keep durable learning records. Keep logging project-local by default, review any changes to CLAUDE.md, AGENTS.md, SOUL.md, TOOLS.md, or Copilot instructions before they are used, avoid global hooks unless you have audited the scripts, and redact secrets, personal data, raw transcripts, tokens, and full command outputs before anything is persisted or shared across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The document states that the scripts 'only output text' and 'don't modify files or run commands,' but the configured hook type is explicitly 'command', which causes shell scripts to be executed by the agent runtime. This misleading security claim can cause operators to under-trust the risk of enabling hooks that execute local code with the same privileges as the agent.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding:
The trigger phrases are broad enough to match ordinary user conversation, which can cause the agent to log interactions or invoke self-improvement behavior unexpectedly. In a skill that writes persistent records, ambiguous activation increases the chance of capturing unnecessary or sensitive user content without clear user intent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The automatic logging guidance lacks clear boundaries on what should and should not be persisted, especially for corrections, knowledge gaps, and errors derived from user interactions. That ambiguity can lead to over-collection of conversation content, internal prompts, command output, or environment details into durable files and later promotion targets.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill instructs agents to persist learnings, errors, and corrections to local markdown files, but it does not prominently warn that user interactions or sensitive operational details may be stored. In practice, users may not realize that their corrections, requests, command inputs, or outputs could become durable project artifacts.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
Using an empty matcher on UserPromptSubmit causes the hook to run for every prompt, greatly expanding the trigger surface and making the behavior persistent and pervasive. In this skill's context, that means a local command is invoked on all interactions, increasing the chance of prompt-derived data exposure, unwanted side effects, or abuse if the script is altered or replaced.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The user-level configuration enables the hook globally from the home directory, so it will affect all projects and prompts for that user. That persistence amplifies the blast radius of any script bug, compromise, or later modification, because the command will run across unrelated contexts and potentially sensitive repositories.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The Codex CLI example repeats the empty matcher pattern, again causing execution on every prompt without meaningful scoping. Because this is documentation intended for easy copy-paste adoption, it normalizes broad hook execution and increases the likelihood of unsafe deployment across another agent platform.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
The skill explicitly encourages persisting broad user-provided and operational context into .learnings files and then promoting selected items into shared memory files. This creates a natural-language data retention risk because sensitive details can be copied from transient chats into long-lived local or repository-tracked documentation, where they may later be exposed to other users, agents, or commits.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The Clawdbot integration explicitly references reading session transcripts and using cross-session communication, which broadens exposure of prior conversation data beyond the original interaction. Even if intended for collaboration, this enables lateral disclosure of sensitive context between sessions without clear minimization, authorization, or need-to-know controls.

VirusTotal

64/64 vendors flagged this skill as clean.